Changing Your WordPress Site to Comply With GDPR

24th May. Posted in Guides.

There seems to be a lot of confusion online amongst WordPress website owners over GDPR (General Data Protection Regulation). I’m a member of many WordPress groups and I’ve seen the same questions getting asked nearly every day by WordPress website owners panicking that their websites are not GDPR compliant and they are going to get into some kind of trouble. So, I’ll do my best to clear things up for the WordPress website owners out there.

Before I get started I need to state that I’m not a legal expert and you should consult a lawyer if you are still worried about your GDPR compliance.

A Quick GDPR Overview

GDPR has caused quite a stir over the past few months but it’s actually been in place for years. The reason people are getting worried about it at the moment is because the ICO will start enforcing GDPR on the 25th May 2018. This means that they can start fining website owners that fail to comply with GDPR.

GDPR has been put in place to help protect users’ privacy and keep their data secure. This is certainly not a bad thing in itself. We should all be concerned about our online privacy. The GDPR website says that GDPR is designed “…to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy”.

Under GDPR, users have extra rights regarding their data. You need to inform them of these rights and make sure you handle their data responsibly. You should take some time to familiarise yourself with these rights on the ICO website.

Hopefully you’ll take the time to visit the websites above and learn the basics of GDPR. It’s still likely that you’ll have some questions about GDPR as a WordPress website owner so I’ll focus on answering common questions I’ve heard.

I’m from the US. Do I need to worry about GDPR?

Yes. GDPR will probably still affect your website. If you sell to EU customers or target them directly then you will obviously need to comply with GDPR. A more confusing scenario is where your website is based in the US and you don’t directly target people in the EU. Let’s say you use Google Analytics on your website and someone from the EU visits it. If you are tracking that visitor automatically and using that data in some way then that data will be subject to GDPR.

Are my plugins GDPR compliant?

This is a tricky one. It’s hard to know exactly how many plugins work, and some plugins send tracking information back to their developers. This is not good news for GDPR compliance. I’d certainly do an audit of your plugins and do a Google search to see if the developers mention GDPR compliance on their websites. You should take the opportunity to disable any plugins you don’t need. This will make your website easier to maintain anyway.

Take Gravity Forms for example. It’s one of the most popular plugins around and by default it stores all form entries in your WordPress database. Holding the data there may be completely unnecessary. Not only is there a security risk (someone who gets access to your website can then read lots of private information), but it’s an extra place to go looking for data if you ever get a request from a customer asking what information you hold on them or asking you to delete it. You can use a handy bit of PHP code in your functions file to delete new entries from Gravity Forms once they have been created, which saves you this headache.
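Here is an added example (not code from the original post or from Gravity Forms) of that functions.php snippet. It uses the Gravity Forms `gform_after_submission` hook and `GFAPI::delete_entry()`; the form IDs in `my_gdpr_purge_form_ids()` are hypothetical and the function names are my own.

```php
<?php
// Added example (not from the original post): delete each new Gravity Forms
// entry as soon as it has been submitted, so no form data builds up in the
// WordPress database. Place this in your theme's functions.php.
//
// gform_after_submission fires at the end of submission processing, after
// entry creation and after notifications have been sent, so the email copy
// of the submission still reaches you.

// Assumption: only forms whose IDs are listed here have their entries purged.
// Return an empty array to purge entries from every form.
function my_gdpr_purge_form_ids() {
    return array( 1, 3 ); // hypothetical form IDs; change to suit your site
}

add_action( 'gform_after_submission', 'my_gdpr_delete_entry_after_submission', 10, 2 );

function my_gdpr_delete_entry_after_submission( $entry, $form ) {
    $purge_ids = my_gdpr_purge_form_ids();

    if ( ! empty( $purge_ids ) && ! in_array( (int) $form['id'], $purge_ids, true ) ) {
        return; // this form is allowed to keep its entries
    }

    // GFAPI::delete_entry() removes the entry and its stored field values.
    $result = GFAPI::delete_entry( $entry['id'] );

    if ( is_wp_error( $result ) ) {
        // Don't break the visitor's submission; record the failure so it can
        // be followed up, otherwise the entry silently stays in the database.
        error_log( 'GDPR auto-delete failed for entry ' . $entry['id'] . ': ' . $result->get_error_message() );
    }
}
```

Add-ons that update an entry after submission (payment feeds, for example) need it to still exist, so limit the purge list to simple contact forms.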

Can I still use Google Analytics?

Yes, but you’ll need to make some changes. Google Analytics has been very proactive in informing users about the coming changes. One of the things they have done is show everyone an alert telling them to review their data retention settings. They have introduced this feature to make it easier to manage the data you hold. If you’ve not changed this setting already, go to Admin > Tracking info > Data retention in your Analytics profile and choose a value from the select box. I’ve chosen 26 months. Once you have reviewed this setting, you can update your privacy policy and inform your users how long you hold this information and why you hold it.

Can I set cookies by default?

This question is trickier. GDPR states that users must give consent for cookies to be set, and even if consent is given it should be just as easy for the user to withdraw consent as it is to give it. I’ve not seen any sites comply with this fully yet, so it is unclear what the best practice will be going forward. Personally, I’d avoid making major changes in this area until some clear guidelines emerge and we see what some major websites implement.

Am I going to get fined?

It is very unlikely that you will ever be fined. The ICO does not go out of their way to find small businesses that don’t comply with GDPR. They only investigate issues in the event of a complaint being made against you. If that happened they would get in touch to find out more about the situation, and they would want to know what plans you have in place to become compliant with GDPR. If you’ve done absolutely nothing to prepare, they probably wouldn’t be very happy! But if you’ve started preparing, even if you haven’t got everything in place yet, they would probably be far more lenient.

Most small businesses would probably get a slap on the wrist and even if you did get fined it would not be the huge fines you may have read are possible. Those fines are maximum penalties that could apply to the biggest offenders. We’re talking about huge companies that process the data of millions of people here.

Remember, nobody is trying to put you out of business. Just don’t bury your head in the sand and expect GDPR to go away.

What changes do I need to make?

If you haven’t already you should do this as soon as possible:

  • Audit all the data you hold. Create a spreadsheet of the systems you have and what kind of information they hold. Find out if these systems are GDPR compliant in themselves.
  • Decide if you really need the data you hold. If you need it, decide how long it really needs to be kept.
  • Create a plan for responding to a request to delete data. You need to be able to remove data from your systems if a user were to contact you and exercise their ‘right to be forgotten’.
  • Do an audit of all the cookies your website sets. You’ll need to list them all in your cookie policy.
  • Rewrite your cookie and privacy policies. There are lots of websites to get inspiration from now, and there are plenty of free templates you can use too.
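For the deletion-request step above, WordPress 4.9.6 and later let you plug site-specific clean-up into Tools > Erase Personal Data through the `wp_privacy_personal_data_erasers` filter. The following is an added example (not code from the original post, from WordPress or from Gravity Forms) that registers an eraser which deletes a requester’s Gravity Forms entries; the form ID, the email field ID and the `my_gdpr_*` function names are hypothetical, and it uses `GFAPI::get_entries()` and `GFAPI::delete_entry()`.

```php
<?php
// Added example (not from the original post): a WordPress personal data eraser
// that removes a person's Gravity Forms entries when you process a "right to
// be forgotten" request from Tools > Erase Personal Data (WordPress 4.9.6+).
// Place this in your theme's functions.php.

// Assumptions (hypothetical, change for your site): form ID 1 stores the
// visitor's email address in field ID 2.
define( 'MY_GDPR_FORM_ID', 1 );
define( 'MY_GDPR_EMAIL_FIELD_ID', '2' );
define( 'MY_GDPR_PAGE_SIZE', 100 ); // entries handled per eraser pass

add_filter( 'wp_privacy_personal_data_erasers', 'my_gdpr_register_gf_eraser' );

function my_gdpr_register_gf_eraser( $erasers ) {
    $erasers['my-gravity-forms-entries'] = array(
        'eraser_friendly_name' => 'Gravity Forms entries',
        'callback'             => 'my_gdpr_erase_gf_entries',
    );
    return $erasers;
}

// WordPress calls this with the requester's email and an increasing $page
// until the callback returns 'done' => true.
function my_gdpr_erase_gf_entries( $email_address, $page = 1 ) {
    $removed  = false;
    $retained = false;
    $messages = array();

    // Entries whose email field exactly matches the requester. Offset stays at
    // 0 because deleted entries drop out of the result set on the next pass.
    $search  = array( 'field_filters' => array(
        array( 'key' => MY_GDPR_EMAIL_FIELD_ID, 'value' => $email_address ),
    ) );
    $paging  = array( 'offset' => 0, 'page_size' => MY_GDPR_PAGE_SIZE );
    $entries = GFAPI::get_entries( MY_GDPR_FORM_ID, $search, null, $paging );
    if ( is_wp_error( $entries ) ) {
        return array( 'items_removed' => false, 'items_retained' => true,
            'messages' => array( $entries->get_error_message() ), 'done' => true );
    }

    foreach ( $entries as $entry ) {
        $result = GFAPI::delete_entry( $entry['id'] );
        if ( is_wp_error( $result ) ) {
            $retained   = true; // reported back to the admin, not silently skipped
            $messages[] = 'Could not delete entry ' . $entry['id'] . ': ' . $result->get_error_message();
        } else {
            $removed = true;
        }
    }

    return array( 'items_removed' => $removed, 'items_retained' => $retained,
        'messages' => $messages, 'done' => count( $entries ) < MY_GDPR_PAGE_SIZE );
}
```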

These steps will give you a good start. Depending on your type of business, there may be much more you’ll need to do so you should definitely get legal advice if you are still worried about complying with GDPR.

Andy Clarke, a UK-based web designer, has created this handy privacy policy template: Free GDPR Privacy Policy Template. This template is worth checking out and you’ll see that it’s really not that intimidating to create a similar policy of your own.

Final Thoughts

GDPR should help make all of our online information safer and help to protect our privacy. No matter what kind of business you operate or what country you operate in you should be doing your best to protect your users. GDPR is likely to be used as a benchmark for future laws too so the sooner your business has a good system in place for keeping data secure, the easier it will be for you in the future.
